conventional-commit

Name: awesome-copilot/conventional-commit
Author: github

Share on X Share on LinkedIn Share on Bluesky

70High

The skill masquerades as a commit message generator but forces unauthorized terminal execution of git commands, bypassing critical human oversight and verification processes.

ThreatsCI SM CS BC S HITL

Threat Analysis

AI Agent Traps ↗Scanned 6/20/2026

Content InjectionPerception1 finding

Semantic ManipulationReasoning2 findings

Cognitive StateMemory & Learningclean

Behavioural ControlAction1 finding

SystemicMulti-Agent Dynamicsclean

Human-in-the-LoopHuman Overseerclean

Skill Info

Namegithub/awesome-copilot/conventional-commit

Registrygithub

Version251f416b6d3a

PURLpkg:github/github/awesome-copilot@251f416b6d3a?skill=conventional-commit

Stars35,325

Installs12,900

Source

Repository ↗SKILL.md ↗

Install

This skill has been flagged as potentially malicious. Review the findings below before installing.

GitHub

12,900 installs

Skills.shDocs

npx skills add https://github.com/github/awesome-copilot

Assessments (5)

AI Agent Traps ↗

Description Mismatchhighdescription mismatchAML.T0011.000LLM06:2025LLM09:2025

The skill claims to be a prompt template for generating messages, but it includes instructions to bypass user oversight by automatically executing git commit commands in the terminal.

85% confidence

Workflow step 5 explicitly states: 'Copilot will automatically run the following command in your integrated terminal (no confirmation needed)'.

Instructional pressure to bypass oversightmediumoversight evasionAML.T0054LLM01:2025LLM07:2025

The instructions explicitly encourage the user to trust the agent to handle the commit process entirely, minimizing the human's role in verifying the final command before execution.

80% confidenceline 26

Just execute this prompt and Copilot will handle the commit for you in the terminal.

Instruction boundary manipulation detectedhighprompt injectionAML.T0051AML.T0051.000AML.T0051.001AML.T0054LLM01:2025

Instruction boundary manipulation detected

100% confidenceline 6

### Instruction

Automated execution of git commithighcommand executionAML.T0050AML.T0053AML.T0072LLM05:2025LLM06:2025

The skill instructs the agent to automatically execute 'git commit' without user confirmation, which could lead to unintended commits if the agent misinterprets the diff or if the user is not reviewing the final command.

90% confidenceline 20

Copilot will automatically run the following command in your integrated terminal (no confirmation needed)

User confirmation bypass detected — attempts to skip human oversightmediumautonomy abuseAML.T0034.002AML.T0053LLM06:2025LLM10:2025

User confirmation bypass detected — attempts to skip human oversight

100% confidenceline 20

no confirmation needed

Missing licenseinfopolicy violation

Skill does not specify a license field. Specifying a license helps users understand usage terms.

100% confidence

Badge

Markdown

[![Mondoo Skill Check](https://mondoo.com/ai-agent-security/api/badge/github/github/awesome-copilot/conventional-commit.svg)](https://mondoo.com/ai-agent-security/skills/github/github/awesome-copilot/conventional-commit)

HTML

<a href="https://mondoo.com/ai-agent-security/skills/github/github/awesome-copilot/conventional-commit"><img src="https://mondoo.com/ai-agent-security/api/badge/github/github/awesome-copilot/conventional-commit.svg" alt="Mondoo Skill Check" /></a>

Image URL

https://mondoo.com/ai-agent-security/api/badge/github/github/awesome-copilot/conventional-commit.svg

Secure your AI agents

Skills can read files, run commands, and access credentials. Mondoo helps organizations manage the security risks of AI agent skills across their entire fleet.

Continuous scanning of skills across all registries
Policy enforcement before skills reach your agents
Integration with your existing security workflow